Overall, 51 percent did not lock accounts after 10 incorrect password entries, 43 percent accepted the most commonly used passwords such as "password" or "123456" and 86 percent did not meet the requirements to score high enough to be considered adequately safe, Dashlane said.

The ranking method allowed sites to score between minus 100 and 100. To be considered to have an adequate password policy, a website needed a score of 50.

Match.com had the worst password policies, followed by Hulu and Overstock, which both tied for second worst.

Match.com, for example, allowed users to create an account by using only the letter "a" as a password, the study said.

Other sites that scored poorly included Amazon, Groupon, Orbitz, and Victoria's Secret. CNBC requested comment from these companies via email when this embargoed story was released.

"We have always taken the security of our website and customer's personal information very seriously, and certainly long before this list was released," an Orbitz spokeswoman said, via email. "Password security does not necessarily guarantee website security, so we implement a series of industry standard security measures to keep our customer's information safe." She noted that customers can use passwords as long as 32 characters.

The site that scored the highest was Apple. The iPhone maker had a perfect score of 100. Hotmail came in second, followed by the Microsoft Store website and UPS.

To see all the scores of the sites that were measured, check out the report on Dashlane's website.